Abstract

The problem of secret sharing over the Gaussian wiretap channel is considered. A source and a 
destination intend to share secret information over a Gaussian channel in the presence of a wiretapper 
who observes the transmission through another Gaussian channel. Two constraints are imposed on the 
source-to-destination channel; namely, the source can transmit only binary phase shift keyed (BPSK) 
symbols, and symbol-by-symbol hard-decision quantization is applied to the received symbols of the 
destination. An error-free public channel is also available for the source and destination to exchange 
messages in order to help the secret sharing process. The wiretapper can perfectly observe all messages 
in the public channel. It is shown that a secret sharing scheme that employs a random ensemble of regular 
low density parity check (LDPC) codes can achieve the key capacity of the BPSK-constrained Gaussian 
wiretap channel asymptotically with increasing block length. To accommodate practical constraints of 
finite block length and limited decoding complexity, fixed irregular LDPC codes are also designed to 
replace the regular LDPC code ensemble in the proposed secret sharing scheme. 

I. Introduction 

Physical-layer security schemes exploit channel characteristics, such as noise and fading, to allow a 
group of nodes to share information in such a way that other unintended receivers (called eavesdroppers 
or wiretappers) cannot recover that secret information. Physical-layer security has often been studied in 
the context of the wiretap channel, which was first introduced by Wyner [1] and later refined by Csiszár
and Körner [2]. In the wiretap channel, a source tries to send secret information to a destination in the
presence of a wiretapper. When the source-to-wiretapper channel is a degraded version of the
source-to-destination channel, Wyner [1] showed that the source can transmit a message at a positive (secrecy) rate
to the destination by taking advantage of the less "noisy" channel to the destination. The degradedness
condition was removed in [2], which showed that a positive secrecy rate is possible for the case where the
source-to-destination channel is "more capable" than the source-to-wiretapper channel. Generalization of 
Wyner's work to the Gaussian wiretap channel was considered in [3]. 

In Wyner's original paper, a code design based on group codes was described for the wiretap channel. 
In [4], a code design based on coset codes was suggested for the type-II (the destination channel is error 
free) binary erasure wiretap channel. Recently, the authors of [5] constructed low density parity check
(LDPC) based wiretap codes for the binary erasure channel (BEC) and the binary symmetric channel (BSC).
Reference [6] considered the design of secure nested codes for type-II wiretap channels. More recently, 
References [7] and [8] concurrently established the result that polar codes [9] can achieve the secrecy 
capacity of the degraded binary-input symmetric-output (BISO) wiretap channels. Note that all these 
designs are for codes with asymptotically large block lengths. 

In some scenarios, it is sufficient for two nodes to agree upon a common secret (a key), instead of 
having to send secret information from a source to a destination. Under this relaxed criterion, it is shown 
in [10] that, with the use of a feedback channel, a positive key rate is achievable when the destination 
and wiretapper channels are two conditionally independent (given the source input symbols) memoryless 
binary channels, even if the destination channel is not more capable than the wiretapper's channel. This 
notion of secret sharing is formalized in [11] based on the concept of common randomness between the 
source and destination. A three-phase process of achieving secret sharing over a wiretap channel with 
an additional public channel between the source and destination is suggested in [10]. The three phases 
are respectively advantage distillation, information reconciliation, and privacy amplification. Advantage 
distillation aims to provide the destination an advantage over the wiretapper. Information reconciliation 
aims at generating an identical random sequence at both the source and destination. Privacy amplification 
is the step that extracts a secret key from the identical random sequence agreed upon by the source and 
destination. 

Information reconciliation is probably the most studied and most essential part of any secret sharing 
scheme. Perhaps the most well-known practical application of reconciliation protocols is quantum
cryptography, where nonorthogonal states of a quantum system provide two terminals with observations of
correlated randomness which are at least partially secret from a potential eavesdropper. Many works
[12]-[18] have been devoted to the study of reconciliation for both discrete and continuous random variables
in quantum key distribution schemes. For the case of discrete random variables, Cascade is an iterative 
reconciliation protocol first proposed by Brassard and Salvail in [12]. Recently, BSC-optimized LDPC 
codes have been employed in [18] to reduce the interactivity and improve the efficiency of Cascade. 
On the other hand, the work on slice error correction [14], which converts continuous variables into
binary strings and makes use of interactive error correcting codes, is the first reconciliation protocol for 
continuous random variables. Modern coding techniques like turbo codes [13] and LDPC codes [16], 
[17] have also been directly applied within information reconciliation protocols for continuous random 
variables. 

Another application of reconciliation protocols is secret key agreement over wireless channels. An 
LDPC code-based method of extracting secrecy from jointly Gaussian random sources generated by 
a Rayleigh fading model has been studied in [16]. In [17], multilevel coding/multistage decoding-like 
reconciliation with LDPC codes has been proposed for the quasi-static Rayleigh fading wiretap channel. 
In [19], punctured LDPC codes were employed in a coding scheme for the Gaussian wiretap channel 
to reduce the security gap, which expresses the quality difference between the destination channel and 
wiretapper channel required to achieve a sufficient level of security. The main idea of this scheme is to 
hide the information bits from the wiretapper by means of puncturing. In [20], further reductions in the 
security gap are achieved using a reconciliation scheme based on non-systematic LDPC codes along with 
scrambling of the information bits prior to encoding. 

In this paper, we consider the problem of secret sharing over the Gaussian wiretap channel with the 
constraints of binary phase-shift keyed (BPSK) source symbols and symbol-by-symbol hard-decision 
quantization at the destination. Our main goal is to develop a coding structure based on which practical 
"close-to-capacity" secret sharing (key agreement) codes can be constructed. Finite block length and 
moderate encoder/decoder complexity are the two main practical constraints that we consider when 
designing these codes. The secrecy performance of our designs will be measured by the rate of secret 
information shared between the source and destination (which will be referred to as the key rate) as well 
as the rate of information that is leaked to the wiretapper through all its observations of the wiretap and 
public channels (which will be referred to as the leakage rate). 

To rigorously gauge the secrecy performance of our code designs, we introduce the notion of relaxed
key capacity in Section II. The relaxed key capacity is the maximum key rate that can be achieved over
the wiretap channel provided that the leakage rate is bounded below a fixed value. In Section III, we
calculate the relaxed key capacities over the BPSK source-constrained Gaussian wiretap channel with
and without the constraint of hard-decision quantization at the destination. In Section IV, we present a
secret sharing scheme employing an ensemble of regular LDPC codes for the BPSK-constrained Gaussian
wiretap channel with hard-decision quantization at the destination. We prove that the proposed scheme
achieves the relaxed key capacity with asymptotically large block length. We note that a similar
LDPC-based key agreement scheme employing observations of correlated discrete stationary sources at the
source, destination, and wiretapper was studied in [15]. A more detailed comparison between our scheme
and the one proposed in [15] is also provided in Section IV. The asymptotic result in Section IV provides
us a reasonable theoretical justification to design practical secret sharing schemes based on the proposed
coding structure. We propose in Section V to replace the regular LDPC code ensemble in Section IV by
fixed LDPC codes that are more amenable to practical implementation. In the same section, we describe
a code search algorithm based on density evolution analysis to obtain good irregular LDPC codes for the
proposed secret sharing scheme. We also compare the secrecy performance achieved by these irregular
LDPC codes, BSC-optimized irregular LDPC codes, and some standard regular LDPC codes against the
relaxed key capacity calculated in Section III. Finally, conclusions are drawn in Section VI.



II. Secret Sharing and Relaxed Key Capacity 

We start by reviewing the framework of secret sharing proposed in [11]. The objective of secret 
sharing is for the source and destination to share secret information, which is obscure to the wiretapper, 
by exploiting common randomness [11] available to them through the wiretap channel. Here, we consider 
the wiretap channel to be memoryless and specified by the conditional probability density function (pdf)
$p_{Y,Z|X}(y, z|x)$. When the symbol $X$ is sent by the source, $Y$ and $Z$ denote the corresponding symbols
observed by the destination and wiretapper, respectively. In addition, we restrict ourselves to cases in
which $Y$ and $Z$ are conditionally independent given $X$, i.e., $p_{Y,Z|X}(y, z|x) = p_{Y|X}(y|x)\, p_{Z|X}(z|x)$. This
restriction is satisfied by the Gaussian wiretap channel considered in Section III and some other wireless
wiretap channels [21]. For convenience, we will refer to the wiretap channel by the triple $(X, Y, Z)$.
In addition to the wiretap channel, there is an interactive, authenticated, public channel with unlimited 
capacity between the source and destination. The source and destination can communicate via the public 
channel without any power or rate restriction. The wiretapper can perfectly observe all communications 
over the public channel but cannot tamper with the transmitted messages. 

The aforementioned common randomness is to be extracted by a proper combination of transmission
from the source to the destination through the wiretap channel $(X, Y, Z)$ and information exchanges
between them over the public channel. To this end, we consider the class of permissible secret sharing
strategies suggested in [11]. Consider $t$ time instants labeled by $1, 2, \ldots, t$, respectively. The wiretap
channel is used $n$ times during these $t$ time instants at $i_1 < i_2 < \cdots < i_n$. Set $i_{n+1} = t$. The public
channel is used during the other $(t - n)$ time instants. Before the secret sharing process starts, the source
and destination generate, respectively, independent random variables $M_X$ and $M_Y$. Then a permissible
strategy proceeds as follows:^1

• At time instant $0 < i < i_1$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ to the destination, and
the destination sends message $\Psi_i = \Psi_i(M_Y, \Phi^{i-1})$ to the source. Both transmissions are carried
over the public channel.

• At time instant $i = i_j$ for $j = 1, 2, \ldots, n$, the source sends the symbol $X_j = X_j(M_X, \Psi^{i_j - 1})$ to
the wiretap channel. The destination and wiretapper observe the corresponding symbols $Y_j$ and $Z_j$.
There is no message exchange via the public channel, i.e., $\Phi_i$ and $\Psi_i$ are both null.

• At time instant $i_j < i < i_{j+1}$ for $j = 1, 2, \ldots, n$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$
to the destination, and the destination sends message $\Psi_i = \Psi_i(M_Y, Y^j, \Phi^{i-1})$ to the source. Both
transmissions are carried over the public channel.

At the end of the $t$ time instants, the source generates its secret key $K = K(M_X, \Psi^t)$ and the destination
generates its secret key $L = L(M_Y, Y^n, \Phi^t)$, where $K$ and $L$ take values from the same finite set $\mathcal{K}$.

Slightly extending the achievable key rate definition in [11], for $R_l \ge 0$, we call $(R, R_l)$ an achievable
key-leakage rate pair through the wiretap channel $(X, Y, Z)$ if for every $\epsilon > 0$, there exists a permissible
secret sharing strategy of the form described above such that

1) $\Pr\{K \ne L\} < \epsilon$,

2) $\frac{1}{n} I(K; \Phi^t, \Psi^t) < \epsilon$,

3) $\frac{1}{n} I(K; Z^n | \Phi^t, \Psi^t) < R_l + \epsilon$,

4) $\frac{1}{n} H(K) > R - \epsilon$, and

5) $\frac{1}{n} \log_2 |\mathcal{K}| < \frac{1}{n} H(K) + \epsilon$,

for sufficiently large $n$. Condition 2 restricts that the public messages (the messages conveyed through the
public channel) contain a negligible rate of information about the key, while Condition 3 limits to $R_l$ the
rate of key information that the wiretapper can extract from its own channel observations and the public
messages. Note that Condition 3 is trivially satisfied if $R_l > \frac{1}{n} \log_2 |\mathcal{K}|$. We also note that Conditions 2
and 3 combine to essentially give the original condition $\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < \epsilon$ of the achievable key
rate definition in [11] when $R_l = 0$.^2 For the cases in which the alphabet of $X$ is not finite, we also
impose the following power constraint to the symbol sequence $X^n$ sent out by the source:

$$\frac{1}{n} \sum_{j=1}^{n} |X_j|^2 \le P \qquad (1)$$

with probability one (w.p.1) for sufficiently large $n$. We note that the idea of key-leakage rate pair is
similar to that of the secrecy-equivocation rate pair originally defined in [1].

^1 Throughout the paper, $A^i$ stands for the sequence of symbols $A_1, A_2, \ldots, A_i$, and $A^0$ is null.

^2 When $R_l > 0$, if the combined condition $\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < R_l + \epsilon$ is employed instead of Conditions 2 and 3, then it
is easy to see that if $(R, R_l)$ is an achievable key-leakage rate pair, $(R + r, R_l + r)$ is also achievable, for any $r > 0$, by simply
transmitting the additional key information (of rate $r$) through the public channel. Separating the two conditions as suggested
avoids such artificial consequence of the combined condition.

The $R_l$-relaxed key capacity is defined as the maximum value of $R$ such that $(R, R_l)$ is an achievable
key-leakage rate pair. The main reason for us to introduce the notion of relaxed key capacity is to employ
it as a gauge to measure the performance of practical codes that will be presented in Section V. Since
these codes have finite block lengths and are to be decoded by the belief propagation (BP) algorithm,
they do not achieve zero leakage rate. Thus using the relaxed key capacity provides a more suitable
comparison than using the original "straight" key capacity in [11]. Also, since these practical codes
do not give zero leakage rate, their use could be considered as an information-reconciliation step. The
secrecy performance could be further improved by additional privacy amplification.

For wiretap channels that satisfy the aforementioned conditional independence requirement, we have
the following result, whose proof is sketched in Appendix I.

Theorem 1: The $R_l$-relaxed key capacity of the memoryless wiretap channel $(X, Y, Z)$ with conditional
pdf $p(y, z|x) = p(y|x)\, p(z|x)$ is given by

$$C_K(R_l) = \max_{X:\, E[|X|^2] \le P} \left[ \min\{ I(X; Y) - I(Y; Z) + R_l,\; I(X; Y) \} \right].$$

We employ this result to calculate the relaxed key capacities of the BPSK-constrained Gaussian wiretap
channel in the next section.

III. BPSK-Constrained Gaussian Wiretap Channel

Hereafter, we focus on the Gaussian wiretap channel, in which the source-to-destination channel and
source-to-wiretapper channel are both additive white Gaussian noise (AWGN) channels. We restrict the
source to transmit only BPSK symbols. More specifically, let $X_i \in \{\pm 1\}$ be the $i$th transmit symbol from
the source,^3 and let $Y_i$ and $Z_i$ be the corresponding received symbols at the destination and wiretapper,
respectively. The Gaussian wiretap channel can then be modeled as

$$Y_i = \beta X_i + N_i$$
$$Z_i = \alpha \beta X_i + \tilde{N}_i, \qquad (2)$$

^3 In later sections, whenever appropriate, we implicitly employ the mapping $+1 \to 0$ and $-1 \to 1$, where 0 and 1 are the
two usual elements in GF(2).

where $N_i$ and $\tilde{N}_i$ are i.i.d. zero-mean Gaussian random variables of variance $\sigma^2$. Note that $\beta$ is the gain
of the BPSK symbols transmitted by the source. By the source power constraint (1), we have $\beta^2 \le P$.
Also, $\alpha$ is a positive constant that models the gain advantage of the wiretapper over the destination. Let
the normalized gain $\tilde{\beta} = \beta / \sigma$. Then, the received signal-to-noise ratios (SNRs) at the destination and
wiretapper are $\tilde{\beta}^2$ and $\alpha^2 \tilde{\beta}^2$, respectively. Clearly, the Gaussian wiretap channel satisfies the memoryless
and conditional independence properties required in Theorem 1. Specializing Theorem 1 to the
BPSK-constrained Gaussian wiretap channel, it is not hard to show^4 that the $R_l$-relaxed key capacity is given
by



Cb(Ri 



max 



mm 



2vr 



Jo 



Ho 



■ cxp 



[1 + e- 2 ~Py}[\ + e- 2a ^]J 
(y-/3) 2 {z-aP) 2 



l + e 



l + e 



-2a/3z 



Ho 



l + e 



cxp 



dydz + Ri , 1 

(y-/3) 2 



dy 



(3) 



'2-k Jo ~\l + e~ 2 Py 

where $H_2(p) = -p \log_2 p - (1 - p) \log_2 (1 - p)$ is the binary entropy function. We note that $C_b(R_l)$ is
achieved when $X_i$ is equiprobable; but it is not necessarily achieved by transmitting at the maximum
allowable power $P$.

The achievability proof of Theorem 1 (cf. Appendix I) employs random Wyner-Ziv coding, in which
the received symbols at the destination need to be quantized due to the fact that the channel alphabet
at the destination in the Gaussian wiretap channel is continuously distributed. In this paper, we consider
a simple symbol-by-symbol hard-decision quantization scheme in which the $i$th quantized destination
symbol $\hat{Y}_i = \mathrm{sgn}(Y_i)$, where sgn is the signum function. Note that this quantization is suboptimal and
leads to a loss in key capacity. We quantify this loss by applying Theorem 1 to the BPSK-constrained
Gaussian wiretap channel with hard-decision quantization at the destination to calculate the $R_l$-relaxed
key capacity $C_{bq}(R_l)$. Using the standard notation $Q(x) = \int_x^\infty \frac{e^{-u^2/2}}{\sqrt{2\pi}}\, du$, it is not hard to establish that

$$C_{bq}(R_l) = \max_{0 \le \tilde{\beta} \le \sqrt{P/\sigma^2}} \min\{ C_s(\tilde{\beta}) - C_w(\tilde{\beta}) + R_l,\; C_s(\tilde{\beta}) \} \qquad (4)$$

where

$$C_s(\tilde{\beta}) = 1 - H_2(Q(\tilde{\beta})) \qquad (5)$$

$$C_w(\tilde{\beta}) = 1 - \frac{1}{\sqrt{2\pi}} \int_0^\infty H_2\!\left( \frac{Q(\tilde{\beta}) + [1 - Q(\tilde{\beta})]\, e^{-2\alpha\tilde{\beta} z}}{1 + e^{-2\alpha\tilde{\beta} z}} \right) \left[ 1 + e^{-2\alpha\tilde{\beta} z} \right] e^{-(z - \alpha\tilde{\beta})^2/2}\, dz \qquad (6)$$

are respectively the capacities of the quantized-destination-to-source and quantized-destination-to-wiretapper
channels at the normalized gain $\tilde{\beta}$. Like before, $C_{bq}(R_l)$ is achieved when $X_i$ is equiprobable; but it is
not necessarily achieved by transmitting at the maximum allowable power $P$. To visualize the loss in
key capacity, Fig. 1 shows $C_b(R_l)$ and $C_{bq}(R_l)$ versus the maximum allowable SNR ($P/\sigma^2$) for different
values of $R_l$. We can see that the loss in key capacity due to the hard-decision quantization is no more
than 0.07 bits per (wiretap) channel use for the cases shown.

^4 The proofs of (3) and (4) can be easily, though rather tediously, established by checking the concavity and symmetry of
$I(X; Y) - I(Y; Z)$ as a function of the binary source distribution in the respective cases.
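The following numerical example is added here and is not code from the paper. It evaluates the two capacities in (5) and (6) and the maximization in (4) for unit noise variance, obtaining the destination-to-wiretapper term by integrating the mutual information between the quantized destination symbol and Z directly from the channel model (2). The function names, grid sizes and sample parameters are assumptions.

```python
import math


def q_func(x):
    """Gaussian tail probability Q(x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def h2(p):
    """Binary entropy function H_2(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def c_s(beta_norm):
    """Capacity of the BSC created by hard decisions: 1 - H_2(Q(beta))."""
    return 1.0 - h2(q_func(beta_norm))


def _phi(u):
    """Standard normal density."""
    return math.exp(-0.5 * u * u) / math.sqrt(2.0 * math.pi)


def c_w(beta_norm, alpha, step=0.01):
    """I(quantized Y; Z) for equiprobable BPSK, by trapezoidal integration.

    Given the hard decision, X equals it with probability 1 - Q(beta), and
    Z = alpha * beta * X + unit-variance Gaussian noise.
    """
    q = q_func(beta_norm)
    mean = alpha * beta_norm
    limit = mean + 10.0                      # integrate over [-limit, limit]
    n = int(round(2.0 * limit / step))
    cond_entropy = 0.0                       # accumulates H(quantized Y | Z)
    for i in range(n + 1):
        z = -limit + i * step
        p_plus = (1.0 - q) * _phi(z - mean) + q * _phi(z + mean)
        p_minus = (1.0 - q) * _phi(z + mean) + q * _phi(z - mean)
        p_z = 0.5 * (p_plus + p_minus)
        if p_z == 0.0:
            continue
        w = 0.5 if i in (0, n) else 1.0      # trapezoid end-point weights
        cond_entropy += w * step * p_z * h2(0.5 * p_plus / p_z)
    return 1.0 - cond_entropy


def key_capacity_bq(r_l, alpha, beta_max, grid=60):
    """Grid search for the maximum in (4); returns (rate, maximizing gain).

    beta_max is the largest normalized gain allowed by the power constraint.
    """
    best_rate, best_beta = 0.0, 0.0
    for i in range(grid + 1):
        b = beta_max * i / grid
        cs = c_s(b)
        rate = min(cs - c_w(b, alpha) + r_l, cs)
        if rate > best_rate:
            best_rate, best_beta = rate, b
    return best_rate, best_beta


if __name__ == "__main__":
    # Constructed sample point: wiretapper with the same gain as the destination.
    for r_l in (0.0, 0.1, 1.0):
        rate, beta = key_capacity_bq(r_l, alpha=1.0, beta_max=3.0)
        print(f"R_l={r_l:.1f}  C_bq={rate:.4f}  at normalized gain {beta:.2f}")
```

With a zero leakage budget the maximizing gain lies strictly inside the allowed range, which is the point made above about not transmitting at the maximum allowable power.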

IV. Secret Sharing Scheme Employing Regular LDPC Code Ensembles

The achievability proof of Theorem 1 in Appendix I employs a secret sharing scheme with random
Wyner-Ziv coding. For the BPSK-constrained Gaussian wiretap channel with destination hard-decision
quantization, we show in this section that a secret sharing scheme that employs a properly constructed
ensemble of regular LDPC codes can also asymptotically achieve the $R_l$-relaxed key capacity. We will
design practical secret sharing schemes for the BPSK-constrained Gaussian wiretap channel in Section V
based on the LDPC coding structure proposed here.

To start describing the proposed secret sharing scheme, let us consider an $(n, l)$ binary linear block
code $C$ with $2^l$ distinct codewords of length $n$ and an $(l - k)$-dimensional subspace $W$ in $C$. The pair
$(C, W)$ defines what we call an $(n, l, k)$ secret sharing binary linear block code. Given any such $(C, W)$
pair, let $\mathcal{K}$ be the quotient of $C$ by $W$. Then $\mathcal{K}$ is a linear space of $2^k$ distinct cosets of the form $x^n + W$,
where $x^n \in C$. We will use the coset index in $\mathcal{K}$ as the secret key. We will see later that the ordering of
the cosets in $\mathcal{K}$ is immaterial. The ratios $R_c = \frac{l}{n}$ and $R_k = \frac{k}{n}$ will be referred to as the code rate and
key rate of the $(n, l, k)$ secret sharing binary linear block code, respectively.

Next, we consider the following random ensemble of $(n, l, k)$ secret sharing binary linear block codes:

• The $(n, l)$ linear block code $C$ is chosen uniformly from the ensemble of $(d_v, d_c)$-regular LDPC codes
considered in [22]. That is, we consider that $C$ is chosen uniformly from the set of all bipartite graphs
[23] with $n$ degree-$d_v$ variable nodes and $n - l$ degree-$d_c$ check nodes.

• The subspace $W$ is chosen uniformly over the set of all possible $(l - k)$-dimensional subspaces in
$C$.

Note that a realization of the randomly chosen $C$ may actually have $2^{l'}$ distinct codewords, where $l' > l$.
In such case, $\mathcal{K}$ will be of dimension $k + l' - l$; so the actual key rate will be larger than $R_k$. Hence, we
can conservatively assume $C$ is always an $(n, l)$ linear code with $2^l$ distinct codewords to simplify the
notation below.

Consider the following secret sharing scheme:

1) Random source transmission and destination quantization: The source randomly generates a
sequence $X^n$ of $n$ i.i.d. equally likely BPSK symbols and transmits them consecutively over the
Gaussian wiretap channel $(X, Y, Z)$. The destination receives the sequence $Y^n$ and obtains the
quantized sequence $\hat{Y}^n$ by performing symbol-by-symbol hard-decision quantization on $Y^n$, i.e.,
$\hat{Y}_j = \mathrm{sgn}(Y_j)$. This quantization effectively turns the source-to-destination channel into a BSC,
whose cross-over probability depends on the SNR of the original source-to-destination channel.
We note that the wiretapper also observes $Z^n$ through the source-to-wiretapper channel.

2) Syndrome generation through LDPC encoding at destination: The next step is for the destination
to feed a compressed version of $\hat{Y}^n$ back to the source through the public channel so that the source
can resolve the differences between $X^n$ and $\hat{Y}^n$. This is similar to the problem of compressing
an equiprobable memoryless binary source with side information using LDPC codes considered
in [24]. More precisely, the destination selects $(C, W)$ randomly from the ensemble of secret sharing
$(d_v, d_c)$-regular LDPC codes described above. It then generates the syndrome sequence $S^{n-l} =
\hat{Y}^n H^T$, where $H$ is a parity check matrix of $C$. We note that each $S^{n-l}$ uniquely corresponds to
a coset $E_s^n + C$. Further, the destination determines the coset in $\mathcal{K}$ to which $X_q^n = \hat{Y}^n + E_s^n \in C$
belongs. Denote that coset by $X_q^n + W$. Finally, the destination sends $E_s^n$, $C$, and $W$ back to the
source via the public channel.

3) Decoding at source: The source then tries to decode for $X_q^n$ from observing $X^n$ and $E_s^n$ according
to $(C, W)$. Treating $X^n + E_s^n$ as a noisy version of $X_q^n$, it performs maximum likelihood (ML)
decoding to obtain a codeword in $C$ and then determines the coset in $\mathcal{K}$ to which the decoded codeword
belongs. Denote that coset by $\hat{X}^n + W$.

4) Key generation at source and destination: The destination sets its key $L$ to be the index of $X_q^n + W$
in $\mathcal{K}$. Similarly, the source sets its key $K$ to be the index of $\hat{X}^n + W$ in $\mathcal{K}$.
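The four steps above, run end to end on a toy code, as an added example that is not code from the paper. A (7,4) Hamming code stands in for the LDPC code C, W is a 2-dimensional subspace of it (so k = 2), and ML decoding is done by exhaustive search; all names and the choice of code are assumptions. The last function tabulates the public message against the destination key over every equally likely quantized block, which is the independence the secrecy analysis of this section relies on.

```python
import random

N = 7  # block length n of the toy code; (n, l, k) = (7, 4, 2)

# Parity-check rows of the (7,4) Hamming code as 7-bit masks (constructed toy
# stand-in for the LDPC code C; bit j of a mask is position j of the block).
H_ROWS = (0b1010101, 0b0110011, 0b0001111)


def weight(v):
    """Hamming weight of a bit mask."""
    return bin(v).count("1")


def syndrome(v):
    """Syndrome v * H^T, packed into an integer with one bit per check."""
    return sum((weight(v & row) & 1) << i for i, row in enumerate(H_ROWS))


# C: all 2^l = 16 vectors with zero syndrome.
CODEWORDS = [v for v in range(1 << N) if syndrome(v) == 0]

# W: an (l - k) = 2 dimensional subspace of C, spanned by two codewords.
_W1, _W2 = CODEWORDS[1], CODEWORDS[2]
SUBSPACE_W = (0, _W1, _W2, _W1 ^ _W2)

# One fixed leader E per syndrome value (minimum weight, found by search).
LEADER = {}
for _e in sorted(range(1 << N), key=weight):
    LEADER.setdefault(syndrome(_e), _e)


def coset_rep(codeword):
    """Canonical representative of the coset codeword + W."""
    return min(codeword ^ w for w in SUBSPACE_W)


# The 2^k = 4 cosets of W in C; a key is an index into this list.
COSETS = sorted({coset_rep(c) for c in CODEWORDS})


def transmit(x, beta_norm, rng):
    """Step 1: BPSK over unit-variance AWGN, then sgn() at the destination."""
    y_hat = 0
    for j in range(N):
        symbol = 1.0 - 2.0 * ((x >> j) & 1)      # mapping 0 -> +1, 1 -> -1
        if beta_norm * symbol + rng.gauss(0.0, 1.0) < 0.0:
            y_hat |= 1 << j
    return y_hat


def destination_step(y_hat):
    """Step 2 and the destination half of step 4: returns (E, key L)."""
    e = LEADER[syndrome(y_hat)]
    codeword = y_hat ^ e                         # lies in C by construction
    return e, COSETS.index(coset_rep(codeword))


def source_step(x, e):
    """Step 3 and the source half of step 4: returns key K.

    ML decoding over a BSC is minimum Hamming distance decoding.
    """
    noisy = x ^ e
    decoded = min(CODEWORDS, key=lambda c: weight(noisy ^ c))
    return COSETS.index(coset_rep(decoded))


def public_message_vs_key():
    """Joint counts of (E, L) over all 2^n equally likely quantized blocks."""
    counts = {}
    for y_hat in range(1 << N):
        pair = destination_step(y_hat)
        counts[pair] = counts.get(pair, 0) + 1
    return counts


if __name__ == "__main__":
    rng = random.Random(2024)                    # constructed sample run
    x = rng.getrandbits(N)
    y_hat = transmit(x, 2.0, rng)
    e, key_l = destination_step(y_hat)
    key_k = source_step(x, e)
    print(f"errors={weight(x ^ y_hat)} E={e:07b} K={key_k} L={key_l}")
```

The keys agree whenever the hard decisions differ from the transmitted block in at most one position, which is the correction radius of this toy code.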

It is clear that this secret sharing scheme is permissible. Indeed, under the notation of Section II, for the
proposed secret sharing scheme, $t = n + 1$, $i_j = j$ for $j = 1, 2, \ldots, n$, $M_X = X^n$, $M_Y = (C, W)$, and
$\Psi_{n+1} = (E_s^n, C, W)$ is the only message sent via the public channel. Hence, we can evaluate the secrecy
performance of the scheme in the context of its achievable key rate defined in Section II as follows.

First, based on the linearity of LDPC codes, the memoryless nature of the Gaussian wiretap channel,
the chosen distribution of $X^n$, and the symbol-by-symbol hard decision performed to obtain $\hat{Y}^n$ at
the destination, it is easy to check that $H(\hat{Y}^n) = n$, $H(E_s^n | C, W) = n - l$, $H(L | C, W) = k$, and
$I(L; E_s^n | C, W) = 0$. Then,

$$0 \le I(L; E_s^n, C, W) = I(L; C, W) = H(L) - H(L | C, W) \le k - k = 0.$$

Hence, $I(L; E_s^n, C, W) = 0$, $I(L; C, W) = 0$, and $H(L) = k$. If the decoding process at the source
achieves the ensemble average error probability $\epsilon_s$, then we have $\Pr\{K \ne L\} \le \epsilon_s$. Thus, $H(K | L) \le
1 + k\epsilon_s$ and $H(L | K) \le 1 + k\epsilon_s$ by Fano's inequality. That in turn implies

$$\begin{aligned}
\frac{1}{n} I(K; E_s^n, C, W) &= \frac{1}{n} \left[ I(L; E_s^n, C, W) + I(K; E_s^n, C, W | L) - I(L; E_s^n, C, W | K) \right] \\
&\le \frac{1}{n} I(K; E_s^n, C, W | L) \le \frac{1}{n} H(K | L) \le R_k \epsilon_s + \frac{1}{n}
\end{aligned}$$

and

$$\frac{1}{n} H(K) = \frac{1}{n} \left[ H(L) + H(K | L) - H(L | K) \right] \ge R_k - R_k \epsilon_s - \frac{1}{n}. \qquad (7)$$

Hence, Conditions 2 and 5 in Section II are satisfied when $n$ is sufficiently large if $\epsilon_s$ can be made
arbitrarily small. Similarly,

$$\begin{aligned}
I(K; Z^n, E_s^n, C, W) &= I(L; Z^n, E_s^n, C, W) + I(K; Z^n, E_s^n, C, W | L) - I(L; Z^n, E_s^n, C, W | K) \\
&\le I(L; Z^n, E_s^n, C, W) + I(K; Z^n, E_s^n, C, W | L) \\
&\le I(L; Z^n, E_s^n, C, W) + H(K | L) \\
&\le I(L; Z^n, E_s^n, C, W) + k\epsilon_s + 1 \\
&= I(L; Z^n, E_s^n | C, W) + k\epsilon_s + 1, \qquad (8)
\end{aligned}$$

where the last line is due to the fact that $I(L; C, W) = 0$. Here,

$$\begin{aligned}
I(L; Z^n, E_s^n | C, W) &= H(L | C, W) + H(E_s^n | Z^n, C, W) - H(L, E_s^n | Z^n, C, W) \\
&= H(L | C, W) + H(E_s^n | Z^n, C, W) + H(\hat{Y}^n | Z^n, L, E_s^n, C, W) - H(L, E_s^n, \hat{Y}^n | Z^n, C, W) \\
&\le H(L | C, W) + H(E_s^n | C, W) + H(\hat{Y}^n | Z^n, L, E_s^n) - H(\hat{Y}^n | Z^n, C, W) \\
&= H(L | C, W) + H(E_s^n | C, W) + H(\hat{Y}^n | Z^n, L, E_s^n) - H(\hat{Y}^n) + I(\hat{Y}^n; Z^n), \qquad (9)
\end{aligned}$$

where the last equality follows from the fact that $(\hat{Y}^n, Z^n)$ is independent of $(C, W)$. Also $I(\hat{Y}^n; Z^n) =
nI(\hat{Y}; Z) = nC_w(\tilde{\beta})$ because of the memoryless nature of the channel from $\hat{Y}^n$ to $Z^n$ and of the
fact that $\Pr(\hat{Y} = +1) = \Pr(\hat{Y} = -1) = 0.5$ achieves the capacity of this channel. Moreover,
consider a fictitious receiver at wiretapper trying to decode for $\hat{Y}^n$ from observing $Z^n$, $E_s^n$, and $X_q^n$ (or
$L$ equivalently). Suppose that the ensemble average error probability achieved by this receiver, employing
ML decoding, is $\epsilon_w$. Then we have $H(\hat{Y}^n | Z^n, L, E_s^n) \le 1 + (l - k)\epsilon_w$ again by Fano's inequality. Putting
all these and (9) back into (8), we obtain

$$\begin{aligned}
\frac{1}{n} I(K; Z^n | E_s^n, C, W) &\le \frac{1}{n} I(K; Z^n, E_s^n, C, W) \\
&\le C_w(\tilde{\beta}) - (R_c - R_k) + R_k \epsilon_s + (R_c - R_k)\epsilon_w + \frac{2}{n}. \qquad (10)
\end{aligned}$$

The preceding secrecy analysis of the proposed secret sharing scheme based on the secret sharing
regular LDPC code ensembles allows us to arrive at the following result:

Theorem 2: Fix $\tilde{\beta} > 0$. Suppose that $C_w(\tilde{\beta}) < R_c \le C_s(\tilde{\beta})$. For any $R_l \ge 0$, choose $R_k = \min\{R_c -
C_w(\tilde{\beta}) + R_l, R_c\}$. Then $(R_k, R_l)$ is an achievable key-leakage rate pair through the BPSK-constrained
Gaussian wiretap channel with symbol-by-symbol hard-decision destination quantization. Moreover, this
rate pair can be achieved by the aforementioned secret sharing scheme using the secret sharing
$(d_v, d_c)$-regular LDPC code ensemble described before when $n$ increases.

Proof: First, suppose that $R_c < C_s(\tilde{\beta})$ and $R_l > 0$. Since $R_c > C_w(\tilde{\beta})$, $R_k > 0$. Then $R_c - R_k =
\max\{C_w(\tilde{\beta}) - R_l, 0\} < C_w(\tilde{\beta})$. Thus, by (10), if we can show that there is a pair $(d_v, d_c)$ such that
$R_c = 1 - \frac{d_v}{d_c}$ and both $\epsilon_s$ and $\epsilon_w$ in the preceding discussion vanish as $n$ increases, then Condition 3
in Section II will be satisfied when $n$ is sufficiently large. From the preceding discussion, Conditions
1, 2, and 5 will also be satisfied. Comparing (7) and Condition 4, we see then that $(R_k, R_l)$ will be an
achievable key-leakage pair. The existence of such pair $(d_v, d_c)$ results from the following lemma, whose
proof is an adaptation of the arguments in [25, Theorem 3] to the proposed secret sharing $(d_v, d_c)$-regular
LDPC code ensemble. The details are presented in Appendix II.

Lemma 1: Consider the ensemble average error probabilities $\epsilon_w$ and $\epsilon_s$ achieved by the respective
ML decoders at the source and wiretapper of the secret sharing $(d_v, d_c)$-regular LDPC code ensemble
mentioned above. For any fixed $\tilde{\beta} > 0$, suppose that $R_c < C_s(\tilde{\beta})$ and $R_c - R_k < C_w(\tilde{\beta})$. Then, there
exists a choice of $(d_v, d_c)$ such that

1) $R_c = 1 - \frac{d_v}{d_c}$,

2) $\epsilon_w$ decreases exponentially (polynomially) with increasing $n$ for $R_k > 0$ (for $R_k = 0$), and

3) $\epsilon_s$ decreases polynomially with increasing $n$.

Finally, note that the before-imposed restrictions $R_c < C_s(\tilde{\beta})$ and $R_l > 0$ can be removed since the
key-leakage rate region is closed. ■

A comparison of Theorem 2 and (4) shows that the restriction to the secret sharing regular LDPC code
ensemble described in this section does not reduce the relaxed key capacity of the BPSK-constrained
Gaussian wiretap channel with destination hard-decision quantization.



As mentioned in Section I, a similar LDPC-based secret-key agreement scheme employing observations
of correlated discrete stationary sources at the source, destination, and wiretapper was studied in [15].
After Step 1) of our proposed secret sharing scheme, the observations $X^n$, $\hat{Y}^n$, and $Z^n$ at the three
terminals can be viewed as generated from correlated sources; thus reducing our model to the one
considered in [15],^5 except that the wiretapper alphabet is continuous in our case. As in our scheme,
the scheme in [15] has the syndrome $S^{n-l}$ of $\hat{Y}^n$ sent to the source. On the other hand, the key in [15]
is obtained by calculating the syndrome of $\hat{Y}^n$ with respect to another independently selected LDPC
code. The scheme in [15] is shown to achieve key capacity via a similar approach as ours. First, the
consideration of leakage information is converted to that of the error probabilities achieved by decoders
at the source and wiretapper by an upper bound similar to (10) for a pair of fixed LDPC codes (cf.
Eqn. (pTTp)). Then, the existence of a fixed code pair with vanishing error probabilities is shown via an
ML decoding error analysis of the code ensemble based on the method of types [26]. Because of the
continuous wiretapper alphabet, the ML decoding error analysis in [15] does not directly apply to our
case. Hence, we have opted for the combined union and Shulman-Feder bounding technique in [25],
which does however require the BISO nature of the channel from the (quantized) destination to the
wiretapper. Obviously, Lemma 1 also implies the existence of a fixed $(C, W)$ from the secret sharing
regular LDPC ensemble with vanishing decoding errors in our design, and hence the use of this fixed
$(C, W)$ is also sufficient to achieve the relaxed key capacity in our case.

Expressed in our notation, elements in the LDPC code ensemble of [15] are also of the form $(C, W)$.
For our ensemble, $W$ is (conditionally) uniformly distributed over the set of all subspaces of a given
$C$. For the ensemble of [15], $W$ is (conditionally) uniformly distributed over the set of subspaces of $C$
specified by the concatenation of the parity matrices of $C$ and another properly chosen regular LDPC
code. While each element in the ensemble of [15] is also an element of our ensemble, the two ensembles
are different since the respective (conditional) uniform distributions for $W$ are defined over two different
sets of subspaces. In a sense, the ensemble of [15] is more restrictive since $W$ also needs to be an LDPC
code. The discussion in this section shows that the LDPC structure needs to be imposed only on $C$ but
not on $W$. This bears significance in the design of practical codes because the design based on one LDPC
structure derived from our ensemble is much simpler, as will be illustrated in the following section.

^5 Our destination and source correspond to the sender and receiver in [15], respectively. For convenience, we employ our
terminology here when referring to the scheme in [15].

V. Secret sharing scheme employing practical LDPC codes 

In practice, it is not realistic to employ the secret sharing regular LDPC code ensemble and ML
decoding at the source as suggested in Section IV for even moderate values of n. In this section, we
investigate the secrecy performance of a secret sharing scheme similar to the one suggested in Section IV
but with fixed choices of (C, W) from the secret sharing regular LDPC code ensemble and more-practical
BP decoding. In addition, from the proof of Lemma 1 in Appendix II, the values of $d_v$ and $d_c$ need to
be large in order for the ensemble average error probabilities $e_w$ and $e_s$ to decrease with n, and hence to
achieve the relaxed key capacity. As large values of $d_v$ and $d_c$ increase the graph complexity of an LDPC
code, and hence the complexity of BP decoding, we have to limit ourselves to small values of $d_v$ and
$d_c$. To alleviate the shortcoming of regular LDPC codes with small $d_v$ and $d_c$, we also consider the use
of more-efficient irregular LDPC codes in the proposed secret sharing scheme.



We consider the secret sharing scheme described in Section IV except that the secret sharing code
(C, W) is fixed and is known to the source and destination (and also the wiretapper) beforehand. Here, we
consider the (fixed) code C chosen from ensembles of regular and irregular LDPC codes. The details will
be discussed later. For convenience in the key generation step (and later in the search of good irregular
LDPC codes), the subspace W is chosen as follows. Referring back to Step 2) of the scheme, choose
a lower triangular version⁶ of H, for example by performing Gaussian elimination on the connection
matrix of the bipartite graph of C as discussed in [27]. Hence, $H = [A, B]$ where $B$ is an $(n-l) \times (n-l)$
lower triangular matrix. Write $Y^n = [d^l, e^{n-l}]$ where $d^l$ and $e^{n-l}$ are row vectors containing $l$ and $n-l$
elements, respectively. Then the syndrome $S^{n-l} = d^l A^T + e^{n-l} B^T$, codeword $X_0^n = [d^l, d^l A^T (B^{-1})^T]$
and coset leader $E_0^n = [0^l, S^{n-l} (B^{-1})^T]$. Note that $d^l$ contains the systematic bits of the codeword
$X_0^n$ while $d^l A^T (B^{-1})^T$ contains the parity bits. The subspace W is chosen to be the set of codewords
obtained by setting the first k bits⁷ in the vector $d^l$ above to zero. The quotient space K is isomorphic
to the set of codewords obtained by setting the last $l - k$ bits in the vector $d^l$ to zero. Hence we can
use the first k bits in $d^l$ as the key. Since (C, W) is known to the source beforehand, there is no need to
feed it back to the source via the public channel in Step 2) of the secret sharing scheme. Step 3) of the
scheme is modified to replace ML decoding by the practical BP decoding.

6 We can, without loss of generality, assume H to be of full rank as discussed before. Alternatively, an approximate lower
triangular version of H as described in [27] can also be used if efficient encoding is needed.

7 It is easy to see that the secrecy performance is the same for any choice of k bits in $d^l$ for the BP decoders described below.
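The key-generation step above, worked through on a toy code as an added example (not code from the paper): the destination forms the syndrome and key from its quantized sequence, and the source recovers the same key from its own sequence plus the public syndrome. The (7,4) Hamming matrices A and B, the value k = 2, the sample sequences, and the exhaustive nearest-coset-member search standing in for the ML/BP decoder are all assumptions made for the illustration.

```python
from itertools import product

# Constructed toy matrices (assumption, not from the paper): H = [A, B] is a
# parity-check matrix of the (7,4) Hamming code, with B lower triangular and
# a unit diagonal, so n = 7, l = 4 and n - l = 3.
A = [[1, 0, 1, 1],
     [0, 1, 0, 1],
     [0, 0, 1, 1]]
B = [[1, 0, 0],
     [1, 1, 0],
     [0, 1, 1]]
L_BITS = 4   # l: length of the systematic part d^l
K_BITS = 2   # k: number of key bits (assumed value for the illustration)


def mat_vec(M, v):
    """Row vector v times M^T over GF(2), e.g. d A^T."""
    return [sum(m * x for m, x in zip(row, v)) % 2 for row in M]


def add(u, v):
    """Component-wise sum over GF(2)."""
    return [(a + b) % 2 for a, b in zip(u, v)]


def times_inv_B_T(s):
    """Return s (B^-1)^T by forward substitution on the lower triangular B."""
    t = []
    for i, row in enumerate(B):
        t.append((s[i] + sum(row[j] * t[j] for j in range(i))) % 2)
    return t


def decompose(y):
    """Split Y^n = [d, e] into syndrome S, codeword X0 and coset leader E0."""
    d, e = y[:L_BITS], y[L_BITS:]
    S = add(mat_vec(A, d), mat_vec(B, e))      # S = d A^T + e B^T
    X0 = d + times_inv_B_T(mat_vec(A, d))      # [d, d A^T (B^-1)^T]
    E0 = [0] * L_BITS + times_inv_B_T(S)       # [0, S (B^-1)^T]
    return S, X0, E0


def destination(y):
    """Destination: publish the syndrome, keep the first k bits of d as key."""
    S, _, _ = decompose(y)
    return S, y[:K_BITS]


def coset(S):
    """All 2^l sequences with syndrome S, indexed by their systematic part d."""
    for d in product([0, 1], repeat=L_BITS):
        d = list(d)
        yield d + times_inv_B_T(add(mat_vec(A, d), S))


def source_decode(x, S):
    """Source: nearest member of the syndrome-S coset to its own X^n.

    Exhaustive search stands in for the ML/BP decoder; it is only feasible
    for a toy block length.
    """
    y_hat = min(coset(S), key=lambda y: sum(a != b for a, b in zip(x, y)))
    return y_hat, y_hat[:K_BITS]


def key_counts(S):
    """Number of sequences consistent with the public syndrome, per key value."""
    counts = {}
    for y in coset(S):
        key = tuple(y[:K_BITS])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    y = [1, 0, 1, 1, 0, 1, 0]   # constructed quantized sequence Y^n
    x = [1, 0, 0, 1, 0, 1, 0]   # constructed X^n: Y^n with one bit flipped
    S, key = destination(y)
    print("public syndrome:", S, "key at destination:", key)
    print("key at source:", source_decode(x, S)[1])
    print("sequences per key in the syndrome coset:", key_counts(S))
```

Each key value labels the same number of sequences in every syndrome coset, so for a uniformly distributed quantized sequence the public syndrome by itself does not favour any key.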

First, it is unlikely that the above fixed choice of W results in an LDPC code. Hence, the fixed coding
scheme suggested here is different from that of [15]. Second, the secrecy analysis of Section IV can be
easily modified to reflect the use of the fixed secret sharing code (C, W) mentioned above. In particular,
the upper bound on the leakage rate in (10) becomes

-I(K- Z n \E%) < C w 0) - (R c - R k ) + R k e s + (R c - R k )e w + -, (11) 
n n 

where $e_s$ and $e_w$ are now the error probabilities achieved by the BP decoders at the source and wiretapper,
respectively. Since the bound above is derived from Fano's inequality, it applies for any decoder (ML,
BP, etc.), and the value of the bound depends on the choices of decoders only through $e_s$ and $e_w$. Below,
we perform computer simulation to estimate $e_s$ and $e_w$ and then employ (11) to bound the leakage rates
achieved by (C, W) constructed from different choices of finite block length LDPC codes as described
above. More specifically, suppose that the key rate of a secret sharing LDPC code (C, W) is $R_k$ and $e_s$
obtained from simulation is small. By setting $R_l$ to be the value of the bound (11) obtained as described,
then $(R_k, R_l)$ will be considered a key-leakage rate pair achievable by (C, W).



A. Secret sharing regular LDPC codes 

We start by evaluating the secrecy performance of using regular LDPC codes with small $d_v$ and $d_c$
in the secret sharing scheme described above. First, we pick C from the rate-0.25 (3, 4)-regular LDPC
code ensemble by realizing the random bipartite graph experiment described in [22] and then remove
all length-4 loops in the realization. The block length n of the LDPC code is set to $10^5$. As mentioned
above, we need to estimate the values of $e_s$ and $e_w$ from computer simulation. To get $e_s$, BP decoding
is implemented at the source. Similarly, a BP decoder is implemented for the fictitious receiver at the
wiretapper to obtain $e_w$. In order to provide information about L to the latter decoder, the intrinsic
log-likelihood ratios (LLRs) of the first k elements in $d^l$, which are associated with L, are explicitly set to
$\pm\infty$ according to the true bit values. While this method may not be the optimal way to feed information
of L to the BP decoder, we choose to employ it because of its simplicity and the fact that this method
also allows simple density evolution analysis, which will be used to search for good irregular LDPC
codes in Section V-B below.






Fig. 2 shows the trajectory of $(R_k, R_l)$ achievable by the rate-0.25 secret sharing (3, 4)-regular LDPC
code (C, W) when the maximum allowable SNR $P/\sigma^2$ is limited to -0.15 dB and $\sigma^2$ = dB. Different
values of $R_k$ on the trajectory shown are obtained by varying the value of k (i.e., the dimension of W
also changes). When obtaining each shown pair $(R_k, R_l)$, we choose $\beta^2$, up to $P/\sigma^2$, such that $e_s < 0.01$,
$e_w < 0.01$ and the bound in (11) is minimized. For any so-obtained pair $(R_k, R_l)$ located to the right of
the 45° line in Fig. 2, the bound (11) becomes too loose, and the pair is not plotted. From Fig. 2, we
observe that the pair $(R_k, R_l) = (0.2, 0.139)$ gives the smallest (bound on) leakage rate that is achievable
by the rate-0.25 secret sharing (3, 4)-regular LDPC code in the proposed scheme.

Next, we try to compare the secrecy performance of our secret sharing scheme to that of [15]. As
discussed near the end of Section IV, the scheme of [15] requires a pair of independently chosen regular
LDPC codes. Since no practical code designs or examples are provided in [15], we choose an LDPC code
pair for the scheme of [15] that is similar to the choice of our secret sharing code above for comparison.
For the scheme of [15], the first LDPC code is set to be C above (i.e., the rate-0.25 (3, 4)-regular LDPC
code). The other code C' (from which the secret key is generated) is chosen independently from another
regular LDPC code ensemble such that a desired key rate $R_k$ results (cf. [5]). Note that only a few
values of $R_k$ are possible if $d_v$ and $d_c$ are restricted to have small values. Again, as discussed near the end
of Section IV, the pair (C, C') can be expressed in our (C, W) notation. As such, the LDPC subcode W
is obtained from concatenating parity-check matrices of C and C'. Note that W is in general an irregular
LDPC code. To clearly distinguish between our scheme and the one of [15] in the discussion below, we
will employ the notation (C, C') when referring to the latter. The bound (11) is employed to determine
the rate pairs $(R_k, R_l)$ that can be achieved by (C, C'), same as described before.

Under the parameter setting above ($P/\sigma^2$ = -0.15 dB, $\sigma^2$ = dB, and $n = 10^5$), we are not able to
find a choice of C' (with small $d_v$ and $d_c$) that satisfies the requirement $e_w < 0.01$. In order to illustrate
the comparison between the two schemes, we increase the value of $P/\sigma^2$ to 2.0 dB. For this case, we
pick C to be a rate-0.4 (3, 5)-regular LDPC code. The $(R_k, R_l)$-trajectory achieved by our secret sharing
scheme with (C, W) is overlaid in Fig. 2. We see that the lowest leakage rate achieved by this choice of
(C, W) is at the pair $(R_k, R_l) = (0.22, 0.173)$. For the scheme of [15], picking C' to be a (1, 3)-regular
LDPC code, the pair (C, C') achieves the key-leakage rate pair $(R_k, R_l) = (0.333, 0.286)$ as shown by the
square symbol in Fig. 2. This value of $R_l$ is the lowest that we can obtain from picking many different
C' with small $d_v$ and $d_c$.

Summarizing the above results, our secret sharing scheme outperforms the scheme of [15] when the
respective code employed in each scheme is restricted among the choices of regular LDPC codes with
small node degrees and finite block lengths. However, we can observe that there is a significant gap
between the $(R_k, R_l)$ pairs achieved by the proposed scheme and the maximally achievable $(C_{bq}, R_l)$
key-leakage pair boundary. This illustrates that regular LDPC codes with small $d_v$ and $d_c$ and finite block
length do not provide good secret sharing performance.



B. Secret sharing irregular LDPC codes 

To improve secret sharing performance, we search for "good" irregular LDPC codes to be used as C in
the proposed scheme. The structure of secret sharing code (C, W) described in the beginning of this section
facilitates the code search process because only the LDPC structure of C needs to be optimized. Such
optimization can be performed by employing the density-evolution based linear programming technique
suggested in [28]. The search objective is to find an irregular LDPC secret sharing code (C, W) with
maximum $R_c$, given a fixed $R_k$ such that both the decoding error probabilities $e_s$ and $e_w$ in (11) are
vanishing as the BP decoders iterate. By (11), this results in minimization of the bound on $R_l$ for the
fixed $R_k$.

Using standard notation, let the variable and check node degree distribution polynomials of an irregular
LDPC code ensemble be, respectively, $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ and $\rho(x) = \sum_{i=2}^{d_c} \rho_i x^{i-1}$, where $\lambda_i$ ($\rho_i$)
represents the fraction of edges emanating from the variable (check) nodes of degree i. We are to design
an irregular LDPC code C and its subcode W that work well for the channel from the (quantized)
destination to source and the channel from the (quantized) destination to wiretapper, corresponding to
the error probabilities $e_s$ and $e_w$, respectively. Fix $\rho(x)$, and let $e_s(\ell)$ and $e_w(\ell)$ denote the bit error
probabilities obtained by the BP decoders at the source and wiretapper, respectively, at the $\ell$th density
evolution iteration [22], [28] when an initial $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ is used. Now, let $A_{\ell,j}$ denote the bit
error probability obtained at the source by running the density evolution for $\ell$ iterations, in which $\lambda(x)$
is used as the variable node degree distribution for the first $\ell - 1$ iterations and the variable node degree
distribution with a singleton of unit mass at degree j is used for the final iteration. Let $B_{\ell,j}$ denote the
similar quantity for bit error probability obtained at the wiretapper. Then, we have $e_s(\ell) = \sum_{j=2}^{d_v} A_{\ell,j} \lambda_j$
and $e_w(\ell) = \sum_{j=2}^{d_v} B_{\ell,j} \lambda_j$. Note that the values of $A_{\ell,j}$ and $B_{\ell,j}$ are obtained via density evolution. To
account for the availability of perfect information of the k bits corresponding to the key at the wiretapper's
BP decoder, the intrinsic LLR distribution entered into the density evolution analysis for the wiretapper's
decoder is set to be a mixture of the distribution of the channel outputs at the wiretapper (with the
quantized destination symbols as the channel input) and an impulse at $+\infty$. The weights of the two
components in the mixture are determined by the value of $R_k$.
Let $\epsilon > 0$ be a small prescribed error tolerance. Suppose that $\lambda(x)$ satisfies the property that $e_s(M_s) \le \epsilon$
and $e_w(M_w) \le \epsilon$, for some integers $M_s$ and $M_w$. Then, we can frame the $R_c$-maximizing code design
problem as the following linear program:

$$\max \sum_{i=2}^{d_v} \frac{\lambda_i}{i}$$

subject to

$$\lambda_i \ge 0 \quad \text{for } 2 \le i \le d_v,$$

$$\left| \sum_{j=2}^{d_v} A_{\ell,j} \lambda_j - e_s(\ell) \right| \le \max[0, \delta(e_s(\ell-1) - e_s(\ell))] \quad \text{for } 1 \le \ell \le M_s,$$

$$\left| \sum_{j=2}^{d_v} B_{\ell,j} \lambda_j - e_w(\ell) \right| \le \max[0, \delta(e_w(\ell-1) - e_w(\ell))] \quad \text{for } 1 \le \ell \le M_w,$$

$$\sum_{j=2}^{d_v} A_{\ell,j} \lambda_j \le e_s(\ell-1) \quad \text{for } 1 \le \ell \le M_s,$$

$$\sum_{j=2}^{d_v} B_{\ell,j} \lambda_j \le e_w(\ell-1) \quad \text{for } 1 \le \ell \le M_w,$$

where $d_v$ here is the maximum allowable degree of $\lambda(x)$ and $\delta$ is a small positive number. The solution
$\lambda(x)$ of the above linear program is then employed as the initial $\lambda(x)$ for the next search round. The
search process continues this way until $e_s(M_s)$ or $e_w(M_w)$ becomes larger than $\epsilon$, or until $\lambda(x)$ converges.
We can also fix $\lambda(x)$ and obtain a similar linear programming problem for $\rho(x)$. The iterative search can
then alternate between the linear programs for $\lambda(x)$ and $\rho(x)$, respectively.

The secret sharing irregular LDPC codes presented below are obtained from the code search procedure
described above starting with BSC-optimized LDPC codes, which are available from Urbanke's
website [29]. Fig. 3 shows the $(R_k, R_l)$-trajectory achieved by a rate-0.25 secret sharing irregular LDPC
code obtained by performing the above search with $R_k$ set to 0.155 for the BPSK-constrained Gaussian
wiretap channel when $P/\sigma^2$ = -1.5 dB and $\sigma^2$ = dB. The degree distribution pair of this secret
sharing irregular LDPC code is shown in Table I. We obtain an instance of the irregular code by randomly
generating a bipartite graph which satisfies the two given degree-distribution constraints. Similar to the
case of regular codes, the block length $n = 10^5$, and all length-4 loops are removed. Each shown $(R_k, R_l)$
pair is obtained in the same manner as described in Section V-A by using (11). From Fig. 3, we observe
that the pair $(R_k, R_l) = (0.155, 0.025)$ gives the lowest leakage rate achievable by this secret sharing
irregular LDPC code. For comparison, we also plot in Fig. 3 the $(R_k, R_l)$-trajectory achieved by the
proposed secret sharing scheme using a rate-0.25 BSC-optimized irregular LDPC code in place of the
secret sharing irregular LDPC code obtained from the code search described above. Note that since the
channel from the (quantized) destination to the source is a BSC, the use of the BSC-optimized LDPC
code is essentially the same as the reconciliation method proposed in [18]. For the BSC-optimized code,
the pair $(R_k, R_l) = (0.2, 0.071)$ gives the lowest achievable leakage rate.



Similarly, Fig. 4 shows the secrecy performance of the proposed scheme when $P/\sigma^2$ = -4.9 dB and
$\sigma^2$ = 5 dB. A rate-0.12 secret sharing irregular LDPC code is obtained by fixing $R_k$ to 0.06 in the code
search. The degree distribution pair of this secret sharing irregular LDPC code is also shown in Table I. We
observe that the lowest leakage rate achieved by this code is given by the pair $(R_k, R_l) = (0.062, 0.019)$.
Again, for comparison, the $(R_k, R_l)$-trajectory achieved by replacing the secret sharing irregular LDPC
code obtained from the code search with a rate-0.12 BSC-optimized irregular LDPC code is also shown
in Fig. 4. For the BSC-optimized irregular LDPC code, the pair $(R_k, R_l) = (0.095, 0.052)$ gives the
lowest achievable leakage rate. In conclusion, the secret sharing irregular LDPC codes obtained from the
proposed code search procedure significantly outperform, in terms of secrecy performance, secret sharing
regular LDPC codes with small node degrees as well as irregular LDPC codes that are optimized just
for information reconciliation.



VI. Conclusions 

In this paper, we developed schemes based on LDPC codes to allow a source and a destination to share 
secret information over a BPSK-constrained Gaussian wiretap channel. In the proposed secret sharing 
schemes, the source first sends a random BPSK symbol sequence to the destination through the Gaussian 
wiretap channel. Then, the destination generates a syndrome of its quantized received sequence using 
an LDPC code and sends this syndrome back to the source via the public channel. Finally, the source 
performs decoding to recover the quantized destination sequence based on its transmitted sequence, as 
well as the syndrome that it receives from the destination. The secret key is obtained as the index of a 
coset in a quotient space of the LDPC code. 

To evaluate the performance of the proposed secret sharing scheme, we employed an upper bound 
on the leakage information rate that depends on the decoding error probabilities of the decoder at the 
source and of a fictitious decoder at the wiretapper, which observes the wiretapper received sequence, 
the syndrome in the public channel as well as the secret key. The design was then converted to making 
these error probabilities small. For a suitably chosen ensemble of regular LDPC codes, we showed that 
these error probabilities can indeed be made vanishing, as the block length increases, by ML decoding.
As a result, this established that the key capacity of the BPSK-constrained Gaussian wiretap channel can 
be achieved by employing the secret sharing regular LDPC code ensemble in the proposed scheme. 

Considering the practical constraints of finite block length and using BP decoding instead of ML 
decoding, we employed a density-evolution based linear program to search for good irregular LDPC 
codes that can be used in the secret sharing scheme. Simulation results showed that the secret sharing 
irregular LDPC codes obtained from our search can get relatively close to the relaxed key capacity of the 
BPSK-constrained Gaussian wiretap channel, significantly outperforming regular LDPC codes as well as 
irregular LDPC codes that are optimized just for information reconciliation. 



Finally, we point out that the arguments in the proof of Theorem 2 can be modified to show the
existence of an LDPC code (from the same regular LDPC code ensemble considered in Section IV) that
achieves the secrecy capacity [1], [3] of the Gaussian wiretap channel with the BPSK source-symbol
constraint. The code search approach described in Section V-B can also be employed to find irregular
LDPC codes that give secrecy performance close to the boundary of the secrecy-equivocation rate region
of that channel.



Appendix I
Sketch of Proof of Theorem 1

The proof of [21, Theorem 2.1], which corresponds to the case when $R_l = 0$, can be easily extended
to accommodate Conditions 2 and 3 in the definition of achievable key-leakage rate pair.

First, consider the converse proof. Any permissible secret sharing strategy that achieves the key-leakage
rate pair $(R, R_l)$ must satisfy (cf. [21, Eqn. (7)])



R < 



1 



1 -e 



-I(K;L) + -+e 2 
n n 



+ £. 



(12) 



From Conditions 2, 3, and the chain rule, we have 



-I(K;L) < -UK; L\Z n , + -I(K; Z n \^ + -UK;$>\¥) 

n n n n 

1 1 n 

< -I(K;L\Z n ,&,¥) + R l + 2s< -J2 I ( X f> Y j\ Z j)+ R l + 2s , 



where the last inequality is due to the bound I(K; L\Z n , < YTj=i I(Xj;Yj\Zj) which is shown 
in [11, pp. 1129-1130]. Similarly, using the chain rule and Condition 2, we also have

-I(K;L) < -I(K-L\<&\¥) + -I{K-<&\¥) 

n n n 



1 1 n 

< -I(K;L\^,¥) + e< - TliXj-^ + e, 



n n 

3=1 



where the last inequality is due to the bound I(K; < Y^j=i Yj), which again can be 

shown by a simple modification to [11, pp. 1129-1130]. 

As in [21], let Q be a uniform random variable that takes value from {1,2, ... ,n} and is independent 
of all other random quantities. Define (X,Y,Z) = (Xj,Yj, Zj) if Q = j. Then p^ z\x) = 

Py,z\x(V: z\x). Combining the two upper bounds on ~I(K; L) above, we have 

$$\frac{1}{n} I(K;L) \le \min\{I(X;Y|Z,Q) + R_l,\ I(X;Y|Q)\} + 2\epsilon$$
$$\le \min\{I(X;Y|Z) + R_l,\ I(X;Y)\} + 2\epsilon. \qquad (13)$$



The power constraint (1) implies that $E[|X|^2] \le P$. Combining (12) and (13), we obtain

' - tnin i / (A: ) Z) + h'i . / ( A : ) ) } + 2: - 

n 



R < 



(14) 



1-e 

Since $\epsilon$ can be arbitrarily small, (14) implies the converse result, i.e.,

$$R \le \min\{I(X;Y|Z) + R_l,\ I(X;Y)\}$$
$$\le \max_{X: E[|X|^2] \le P} \min\{I(X;Y|Z) + R_l,\ I(X;Y)\}$$
$$= \max_{X: E[|X|^2] \le P} \min\{I(X;Y) - I(Y;Z) + R_l,\ I(X;Y)\},$$

where the last line is due to the fact that $p(y,z|x) = p(y|x)p(z|x)$.

The achievability proof based on random Wyner-Ziv coding in [21, Section 4] can be used to achieve
the $R_l$-relaxed key capacity with proper modifications. Since the code construction statement in [21,
Section 4] is rather long, we only point out here the steps that are different for the current case due to
space limitation. The other details of the proof can be found in [21]. We also adopt the notation of [21]
for easy reference.

First, fix the source distribution $p(x)$ that achieves the maximum in the $R_l$-relaxed key capacity
expression. If $R_l < I(Y;Z)$, then modify the code construction in [21, Section 4] with the new definitions
of $R_3 = I(X;Y) - I(Y;Z) + R_l - \epsilon$ and $R_4 = I(Y;Z) - R_l - 11\epsilon$. Note the p(y\y) should be chosen
to make these rates positive. The asymptotic negligibility of $\frac{1}{n} I(K;J)$ conditioned on the code $C_n$ used
in [21, Section 4] is the only argument needed in this case that is not explicitly shown in [21, Section
4]. We assume below that the code $C_n$ is used. To establish that, first similar to (73) of [21], we have

$$I(K;J) \le I(L;J) + 8n\epsilon R_3 + 1 \qquad (15)$$

by using an argument similar to that of (73) of [21]. Then for $j = 1, 2, \ldots, 2^{nR_2}$ and $l = 1, 2, \ldots, 2^{nR_3}$,
we have 

Pr{J = j,L = l} = ^PrjiW = j + (I - l)2 nR * + {w - l)2 n{R2+R ^} 

w=l 

c)-n{R 2 +Ri-7e) 
< z < 2 -™(^2+/?3-8e) 

1 — £ 

for sufficiently large n, where the first inequality is from [21, Part 3 of Lemma 6]. In other words,
$H(J,L) \ge n(R_2 + R_3 - 8\epsilon)$ for sufficiently large n. Hence, together with the facts $H(L) \le nR_3$ and
$H(J) \le nR_2$, we have

$$I(L;J) = H(L) + H(J) - H(J,L) \le nR_3 + nR_2 - n(R_2 + R_3 - 8\epsilon) = 8n\epsilon.$$

Putting this bound back to (15), we obtain $\frac{1}{n} I(K;J) \le 8\epsilon(R_3 + 1) + \frac{1}{n}$. Since $\epsilon$ can be chosen arbitrarily,
we establish the achievability of the relaxed key capacity. On the other hand, if $R_l > I(Y;Z)$, the code
construction described above can be trivially modified to achieve the relaxed key capacity by setting
$R_4 = 0$ and $R_3$ arbitrarily close to $I(X;Y)$.

Appendix II
Proof of Lemma 1

As mentioned in the proof of Theorem 2, we adapt the proof of [25, Theorem 3] to prove this lemma.
The main argument is to establish that there is a secret sharing $(d_v, d_c)$-regular LDPC code ensemble
(C, W) for which the ensemble average error probabilities $e_s$ and $e_w$ simultaneously vanish as n increases
under the assumptions stated in the lemma.

To that end, we first examine the average weight spectra of the code C and subspace W in the LDPC
code ensemble:



Lemma 2: Consider the ensemble of $(n, l, k)$ secret sharing code (C, W) described in Section IV. For
$0 < m \le n$, let $S_m$ and $T_m$ be the average numbers of codewords of Hamming weight m in C and W,
respectively. Then, we have

$$S_m = \binom{n}{m} \Pr(x^n \in C \mid w(x^n) = m) \qquad (16)$$

$$T_m = \frac{2^{l-k} - 1}{2^l - 1} S_m \qquad (17)$$

where $w(x^n)$ is the Hamming weight of $x^n$.



Proof: Eqn. (16), given in [25], is obvious. It is also clear from the description of the code ensemble
in Section IV that

$$T_m = \binom{n}{m} \Pr(x^n \in W \mid x^n \in C, w(x^n) = m) \cdot \Pr(x^n \in C \mid w(x^n) = m)$$
$$= S_m \cdot \Pr(x^n \in W \mid x^n \in C, w(x^n) = m). \qquad (18)$$

Consider any $x_0^n \ne 0^n \in C$,

$$\Pr(x_0^n \in W \mid x_0^n \in C) = \frac{\text{number of } (l-k)\text{-dimensional subspaces in } C \text{ that contain } x_0^n}{\text{number of } (l-k)\text{-dimensional subspaces in } C}.$$

The number of $(l-k)$-dimensional subspaces in C is $\prod_{u=1}^{l-k} \frac{2^{l-u+1} - 1}{2^{l-k-u+1} - 1}$ (see [30, Theorem 7.1]). Further,
let $\mathcal{X}_0 = \{0^n, x_0^n\}$, and let $C' = C/\mathcal{X}_0$ be the quotient of C by $\mathcal{X}_0$. Then C' is an $(l-1)$-dimensional
linear space. If W is an $(l-k)$-dimensional subspace in C that contains $x_0^n$, then $W' = W/\mathcal{X}_0$ is an
$(l-k-1)$-dimensional subspace in C'. On the other hand, suppose that W' is an $(l-k-1)$-dimensional
subspace in C'. Then $W = \bigcup_{w^n + \mathcal{X}_0 \in W'} (w^n + \mathcal{X}_0)$ is an $(l-k)$-dimensional subspace in C that contains
$x_0^n$. It is also easy to see that the correspondence between W' and W above is one-to-one. As a result,
the number of $(l-k)$-dimensional subspaces in C that contain $x_0^n$ must be the same as the number of
$(l-k-1)$-dimensional subspaces in C', i.e., $\prod_{u=1}^{l-k-1} \frac{2^{l-u} - 1}{2^{l-k-u} - 1}$. So we have

$$\Pr(x_0^n \in W \mid x_0^n \in C) = \frac{2^{l-k} - 1}{2^l - 1}$$

for all $x_0^n \ne 0^n \in C$. This implies

$$\Pr(x^n \in W \mid x^n \in C, w(x^n) = m) = \frac{2^{l-k} - 1}{2^l - 1}$$

for $0 < m \le n$. Putting this back into (18), we obtain (17).



For C chosen uniformly from the $(d_v, d_c)$-regular LDPC code ensemble as described in Section IV, an
upper bound on $\Pr(x^n \in C \mid w(x^n) = m)$ is also available in [25, Lemma 2]:

• If $m d_v$ is odd, $\Pr(x^n \in C \mid w(x^n) = m) = 0$.

• If md v is even and md v < 2(n — I), Pr(x n G C\w(x n ) = m) < 



an 





md v 




2{n-l) 



md v 



If mti^ is even, Pr(x" G C|t<;(x n ) = m) < [(n - Z)d c + 1] 



2m^ 



In addition, Pr(x n G C|u)(x f 
even. 



m 



Pr(x n G C|w(x n ) = n — m) (and hence S n - 



S m ) if 4 is 
Next, we employ Lemma 2 and the combined union and Shulman-Feder bound in [25, Theorem 1] to
bound $e_s$ and $e_w$. To bound $e_w$, consider the channel with $Y^n$ as input and $Z^n$ as output. First, note that
$Y^n$ contains i.i.d. equally likely binary elements. Hence, this channel is a memoryless BISO channel, and
is specified by the conditional pdf $p_{Z|Y}(z|y) = p_{Z|X}(z|1) p_{X|Y}(1|y) + p_{Z|X}(z|-1) p_{X|Y}(-1|y)$. Since
$E_0^n + X_0^n + W$ is a coset and the channel is memoryless BISO, it suffices to assume $Y^n = X_0^n \in W$.
In addition, note that all possible Xq sequences are equally likely. Now, let K = -j- In 1 ^ and /3 = 
2(i-R c ) ^-i2-K ^ p or an y ^ < ^ < I ; applying the bound in [25, Theorem 1] to the subcode W, the 
ensemble average decoding error probability of the ML decoder at the wiretapper can be upper-bounded 



as 



e,„ < < 



n + r 2 + 2-' nE ?( R <- Rk+ ^ a -) for odd d c 

ti + r 2 + r 3 + t 4 + r 5 + 2~ nE ^ ( R °- R *+i lo e* a ») for even d c 



where t-i — S^P n T D m m — V 7n T n m T , — V n_ ^ n_1 T D" 1 i-„ — V n_1 

r 5 = T n L>™, D w = f Jp z \y(z\l) ■ V z \y(A ~ x ) dz > 



m—n—pn 



(19) 

T D m 
- 1 m J - J w > 



T m 2 
max me{7n+l,...,n} 2'- k — 1 



(:) 

? m 2" 



for odd <i c 

max mg | 7n+1) n _ 7 „_i} 2 '-™-i ' prj f° r even d c , 
and E™{R) = max, maxo< p <i{£'^(p, (?) — pi?} is the random coding error exponent with 



E%(p,q) = -log 2 / UlJp^^lljVa+PJ+^-lJp ? ( Z |-1)1/(1+P) 



'z ) 1 • 1 1 ' T */(.- 1 '/'z v' -i - •" dz, 

and $q$ is the probability mass function (pmf) of the channel input Y. It is known that the optimal $q$ is
$q(1) = q(-1) = 0.5$.

Employing Lemma 2 and the bound on $\Pr(x^n \in C \mid w(x^n) = m)$ that follows (see also [25, Lemma
2]), it is not hard to further bound the various terms in (19):



n < < 



2 -nJfc „i-d./2 (1 _ Rc ydj2 (Wi for even ^ 



(l-Dl) dj 



for odd (i^, 



< -{logan + logaKn-fcJdc + l]}-!^ 
n n 



+ max \xlog 2 D w + H 2 (x) + (l-R c )(log 2 [l + {l-2x) d ")-l)}, 

/3<x<j ^ V /J 



and for even d c , 



/3n 



_ \ /-.m r\n—2m ^ _ 7-in(l 



-2/3) 



m=l 
l0g 2 T 3 log 2 T 2

< 1" (1 - 27) log 2 Au, 



n 



n 



and 

Also, 

log 2 « t 
n 



< < 



- {1 + log 2 [(n - i)d c + 1]} + (1 - i? c ) max log 2 [l + (1 - 2x) d <=] for odd d c 
-{l + log 2 [(n-Z)d c + l]} + (l- J R c ) max log 2 [l + (1 - 2x) dc ] for even d c 

k fl " 7<£<1— 7 



< - {1 + log 2 [(n - l)d c + 1]} + (1 - R c ) log 2 [l + (1 - 2 7 )<H 

For bounding $e_s$, note that the channel with $Y^n$ as input and $X^n$ as output is a memoryless BSC and is
specified by the conditional pmf $p_{X|Y}(x|y) = p_{Y|X}(y|x)$. Again, since $E_0^n + C$ is a coset and the channel
is memoryless BISO, it suffices to assume $Y^n = X_0^n \in C$. With this identification, the resulting bound
on $e_s$ follows the same line of arguments as above, and is essentially given in [25]. We summarize the
bound below for later reference:



e., < < 



ai + cr 2 + 2 



-nE s r (R c + ± log 2 a s ) 



for odd cL 



a 1 +a 2 + a 3 + a A + a 5 + 2~ nE ^ + ^ log = for even d c , 



(20) 



where 



<7l < < 



n i-*./2 ( i _ jRc )-^/2 for even dv 



n 2 d * (1 R c ) d 2(;| 7 .- T (/ 



(d./2)l 

^ — - — for odd (/,.. 



< i{Iog 2 n + log 2 [(n-Odc + l]} 



+ max \xlog 2 D s + H 2 {x) + {l-R c )(log 2 [l + (l-2x) d ']-l)\, 

/3<x<j l- V / J 



and for even cL 



/3r, 



_ \ nm nn-2m ^ _ r\n(l—2B) 

m=l 

log 2 0"3 log 2 C7 2 



< 



n 



n 



+ (l-2 7 )log 2J D s , 



and 



fT5 < D's = 2 nlo ^ D % 
< I {1 + log 2 [(n - 0d c + 1]} + (1 " ^c) log 2 [l + (1 - 2 7 )<H 
with $D_s = 2\sqrt{p_{X|Y}(1|1) \, p_{X|Y}(1|-1)}$, and $E_r^s(R) = \max_q \max_{0 \le \rho \le 1} \{E_0^s(\rho, q) - \rho R\}$ is the random
coding error exponent of the channel of interest based on



E s (p,q) 



log 2 \ g^p^m 1 ^ + q(-l)p x] y(l\ - l)Vd+rt 



+ 



q {l)p x , Y {-l\lfl^ +q(-l) Px lY (~l\ - ljVd+P) 



Recall that i? c < C s (f3) and R c -Rk < C w 0). Choose e > small enough such that i? c + 2e < C s (/3) 
and R c — Rk + 2e < C w 0). For any < 7 < 0.5, there exist large enough d v and d c such that 



1) 



1-Rc 



2) 0<^< 7 , 

3) K < e, and 

4) log 2 [1 + (1 - 2 7 )^] < e. 
With this choice of (d v ,d c ), we have 

max \H 2 (x) + (1 - i? c ) (log 2 [l + (1 - 2x) d «] - l)\ 

< H 2 ( 7 ) + (1 - R c ) {log 2 [l + (1 - 2£) d °] - l} 

< tf 2 ( 7 ) + (l-i? c ) [log 2 (l + e~ 2 ^) -1 



< H 2 (n) + (1 - R c ) [log 2 (l + e 



,-4e" 



1 



for any < 7 < 0.5, where the second inequality follows from the inequality 1 — 2x < e 2x and the 
last inequality follows from the definition of f). Hence, we can make 

max \h 2 (x) + (1 - R c ) flog 2 [l + (1 - 2x) d °\ - l) } < 

/3<x<j I V / J 

by choosing 7 small enough since C s (/3) < 1. Thus for sufficiently large n, we get the following results, 
!) k lo S2 T2 < and ± log 2 r 3 < 0, 

2) \ log 2 cj 2 < and \ log 2 03 < 0, 

3) Rc-Rk + l log 2 a w < R c - R k + (1 - R c )e + e < C w (^), and 

4) i? c + I log 2 a s < R c + (1 - i? c )e + e < C s 0). 

Further, by the well known fact that the random coding exponent is positive if its rate argument is below 
channel capacity, we obtain the stated asymptotic behaviors of e s and e w . 
TABLE I

Degree distribution pairs of the rate-0.25 and rate-0.12 secret sharing irregular LDPC codes obtained
from the code search process described in Section V-B

           rate-0.25   rate-0.12
λ_2        0.2807      0.3651
λ_3        0.1490      0.1610
λ_4        0.0725      -
λ_5        -           0.1081
λ_6        -           0.0540
λ_7        0.0599      -
λ_8        0.1343      -
λ_11       -           0.1123
λ_12       -           0.0057
λ_21       0.0697      -
λ_22       0.0872      -
λ_28       -           0.0650
λ_29       -           0.0403
λ_70       0.0006      -
λ_71       0.0264      -
λ_72       0.1197      -
λ_87       -           0.0806
λ_88       -           0.0799
ρ_4        -           0.9705
ρ_5        0.4637      0.0295
ρ_6        0.5363      -
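
A sanity check on the Table I degree distribution pairs, added here as an example and not code from the paper: it computes the design rate 1 - (Σ_j ρ_j/j)/(Σ_i λ_i/i), the coefficient sums, and the node-perspective share of degree-2 variable nodes for both codes. It assumes the usual edge-perspective convention for λ and ρ; all function names are illustrative.

```python
# Degree -> coefficient, copied from Table I as it appears on this page.
# Assumptions: lambda and rho are edge-perspective coefficients, and two row
# labels damaged in the extracted text are read as lambda_11 and lambda_87.
TABLE_I = {
    "rate-0.25": {
        "lam": {2: 0.2807, 3: 0.1490, 4: 0.0725, 7: 0.0599, 8: 0.1343,
                21: 0.0697, 22: 0.0872, 70: 0.0006, 71: 0.0264, 72: 0.1197},
        "rho": {5: 0.4637, 6: 0.5363},
    },
    "rate-0.12": {
        "lam": {2: 0.3651, 3: 0.1610, 5: 0.1081, 6: 0.0540, 11: 0.1123,
                12: 0.0057, 28: 0.0650, 29: 0.0403, 87: 0.0806, 88: 0.0799},
        "rho": {4: 0.9705, 5: 0.0295},
    },
}

def edge_integral(dist):
    """Integral over [0, 1] of sum_d c_d * x^(d-1), i.e. sum_d c_d / d."""
    return sum(c / d for d, c in dist.items())

def design_rate(lam, rho):
    """Design rate 1 - (sum_j rho_j / j) / (sum_i lam_i / i)."""
    return 1.0 - edge_integral(rho) / edge_integral(lam)

def node_fractions(dist):
    """Convert edge-perspective coefficients to the fraction of nodes per degree."""
    total = edge_integral(dist)
    return {d: (c / d) / total for d, c in dist.items()}

def audit(table=TABLE_I, tol=5e-4):
    """Per code: design rate, coefficient sums and a normalization flag."""
    report = {}
    for name, pair in table.items():
        sums = {k: sum(pair[k].values()) for k in ("lam", "rho")}
        report[name] = {
            "design_rate": design_rate(pair["lam"], pair["rho"]),
            "lam_sum": sums["lam"],
            "rho_sum": sums["rho"],
            "normalized": all(abs(s - 1.0) <= tol for s in sums.values()),
            "deg2_variable_nodes": node_fractions(pair["lam"])[2],
        }
    return report

if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```

On these values the design rates come out at about 0.2499 and 0.1220, and every column sums to 1 except the rate-0.12 λ column, which sums to 1.072 as transcribed here. Check that column against the published table before reusing the coefficients.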
Fig. 1. Comparison between the relaxed key capacities $C_b$ and $C_{bq}$ for different values of the maximum allowable leakage rate
$R_l$ over the BPSK-constrained Gaussian wiretap channel. For $C_{bq}$, symbol-by-symbol hard-decision quantization is imposed at
the destination.

[Fig. 2 legend: [15]: (3,5)-/(1,3)-regular LDPC code; Proposed scheme: rate-0.4 (3,5)-regular LDPC code; Proposed scheme: rate-0.25 (3,4)-regular LDPC code]

Fig. 2. Plot of the $(R_k, R_l)$-trajectories achieved by the proposed secret sharing scheme employing secret sharing regular
LDPC codes $(C, W)$ with block length of 10 J. Two cases are shown in the figure. The green curve corresponds to the case of
$P/\sigma^2 = -0.15$ dB, $\alpha^2 =$ dB, and $C$ is a rate-0.25 (3, 4)-regular LDPC code. The brown curve corresponds to the case of
$P/\sigma^2 = 2$ dB, $\alpha^2 =$ dB, and $C$ is a rate-0.4 (3, 5)-regular LDPC code. For comparison, the corresponding boundary of the
$(C_{bq}, R_l)$ region for each case is also included in the figure. For the second case, the $(R_k, R_l)$ rate pair achieved by the scheme
proposed in [15] is denoted by the square symbol. The code used in that scheme is obtained by concatenating the (3, 5)-regular
LDPC parity-check matrix and another (1, 3)-regular LDPC parity-check matrix.

[Fig. 3 legend: Proposed scheme: rate-0.25 irregular LDPC code; axis unit: bpcu]

Fig. 3. Plot (with circle markers) of the $(R_k, R_l)$-trajectory achieved by the proposed secret sharing scheme employing the
rate-0.25 secret sharing irregular LDPC code obtained from the code search process described in Section V-B. The block length
is set to $10^5$. The channel parameter setting of $P/\sigma^2 = -1.5$ dB and $\alpha^2 =$ dB is assumed. The boundary of the $(C_{bq}, R_l)$
region for this set of channel parameters is included in the figure. The $(R_k, R_l)$-trajectory achieved by the proposed secret sharing
scheme employing a standard rate-0.25 BSC-optimized irregular LDPC code instead is also plotted (with square markers) for
comparison.



Fig. 4. Plot (with circle markers) of the $(R_k, R_l)$-trajectory achieved by the proposed secret sharing scheme employing the
rate-0.12 secret sharing irregular LDPC code obtained from the code search process described in Section V-B. The block length
is set to $10^5$. The channel parameter setting of $P/\sigma^2 = -4.9$ dB and $\alpha^2 = 5$ dB is assumed. The boundary of the $(C_{bq}, R_l)$
region for this set of channel parameters is included in the figure. The $(R_k, R_l)$-trajectory achieved by the proposed secret sharing
scheme employing a standard rate-0.12 BSC-optimized irregular LDPC code instead is also plotted (with square markers) for
comparison.



